Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Robert Marcano
On 12/09/2014 09:27 AM, Robert Marcano wrote: What I see frequently are applications that are installed from outside the Fedora repositories, that can be forced to behave like Fedora packaging rules, with secure defaults before sharing, being installed and the user that don't know much about fir

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Stephen Gallagher
On Tue, 2014-12-09 at 14:41 +0100, Michael Catanzaro wrote: > On Mon, 2014-12-08 at 18:56 -0800, M. Edward (Ed) Borasky wrote: > > is Workstation the only Fedora-branded release with those ports open? > > Yes No, actually. The Fedora Cloud ships with no firewall at all (but that's because it's

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > > > On 09.12.2014 at 14:32, Bastien Nocera wrote: > >> On 09.12.2014 at 14:23, Bastien Nocera wrote: > >>> [1]: I haven't seen anything but arm-flailing on that issue. If somebody > >>> wants to > >>> go into details about what a server running inside the user's

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Robert Marcano
On 12/09/2014 09:20 AM, Michael Catanzaro wrote: On Mon, 2014-12-08 at 17:08 -0430, Robert Marcano wrote: Adding to that, this decision bring me memories to the awful old case when someone decided that the install anything from the repositories was permitted to any user on the system by default,

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Robert Marcano
On 12/09/2014 08:53 AM, Reindl Harald wrote: On 09.12.2014 at 14:16, Bastien Nocera wrote: On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote: Why we can't have something like this? And if you don't want a popup asking, have something in the NetworkManager applet menu, where peop

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Michael Catanzaro
On Mon, 2014-12-08 at 17:08 -0430, Robert Marcano wrote: > Adding to that, this decision bring me memories to the awful old case > when someone decided that the install anything from the repositories > was > permitted to any user on the system by default, that was reverted > with > an update bec

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Richard Hughes
On 9 December 2014 at 13:39, Michael Catanzaro wrote: > So your challenge is to find an alternative default that > supports it. I'd go even further. I don't think the people writing the vast number of lengthy posts on this thread actually want to *use* workstation, with the possible exception of

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Matthew Miller
On Tue, Dec 09, 2014 at 02:41:08PM +0100, Michael Catanzaro wrote: > > is Workstation the only Fedora-branded release with those ports open? > Yes Well, no. Fedora Cloud doesn't include any iptables rules by default. (The assumption is that it'll be run in a cloud environment with security groups

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Matthew Miller
On Tue, Dec 09, 2014 at 01:11:33PM +, Ian Malone wrote: > > have a proposal for a new spin focused on privacy and security — the > > Netizen Spin. (If you're interested, I think that could use additional > > contributors.) > I was under the impression spins were to be phased out. I could be > w

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Reindl Harald
On 09.12.2014 at 14:32, Bastien Nocera wrote: On 09.12.2014 at 14:23, Bastien Nocera wrote: [1]: I haven't seen anything but arm-flailing on that issue. If somebody wants to go into details about what a server running inside the user's session would be able to do that a client wouldn't be ab

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Michael Catanzaro
On Mon, 2014-12-08 at 18:56 -0800, M. Edward (Ed) Borasky wrote: > is Workstation the only Fedora-branded release with those ports open? Yes

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Michael Catanzaro
On Mon, 2014-12-08 at 16:41 +0100, Kevin Kofler wrote: > So you rather implement the type of OS that just always assumes "Yes" > without even asking? Because that's what the current "firewall" rules > do > (between quotes because it can hardly be called a firewall in that > state). > How's that

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > > On 09.12.2014 at 14:23, Bastien Nocera wrote: > > [1]: I haven't seen anything but arm-flailing on that issue. If somebody > > wants to > > go into details about what a server running inside the user's session would > > be > > able to do that a client wouldn't b

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > > > On 09.12.2014 at 14:16, Bastien Nocera wrote: > >> On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote: > >>> Why we can't have something like this? And if you don't want a popup > >>> asking, have something in the NetworkManager applet menu, where

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Reindl Harald
On 09.12.2014 at 14:23, Bastien Nocera wrote: [1]: I haven't seen anything but arm-flailing on that issue. If somebody wants to go into details about what a server running inside the user's session would be able to do that a client wouldn't be able to, feel free. you realize the difference b

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > On Tue, 09 Dec 2014 10:08:06 +0100 > Nikos Mavrogiannopoulos wrote: > > > On Tue, 2014-12-09 at 17:29 +1030, William B wrote: > > > > > I just happened to look at the firewalld default settings, and I > > > > >

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Reindl Harald
On 09.12.2014 at 14:16, Bastien Nocera wrote: On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote: Why we can't have something like this? And if you don't want a popup asking, have something in the NetworkManager applet menu, where people can easily find the switch without having t

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote: > > Why we can't have something like this? And if you don't want a popup > > asking, have something in the NetworkManager applet menu, where people > > can easily find the switch without having to searc

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > On 9 December 2014 at 11:35, Michael Catanzaro wrote: > > On Mon, 2014-12-08 at 10:49 -0500, Bastien Nocera wrote: > >> If Reindl, Kevin or Tomas want to disagree with that, I'll give you a > >> little > >> exercise: > >> Having just installed and updated my Fedora

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Ian Malone
On 8 December 2014 at 15:33, Matthew Miller wrote: > On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote: >> There are three products: workstation, server, cloud. Workstation is >> the one for desktop use. That leaves server to aim for the traditional >> fedora user base, since cloud is (un

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread William B
On Tue, 09 Dec 2014 10:08:06 +0100 Nikos Mavrogiannopoulos wrote: > On Tue, 2014-12-09 at 17:29 +1030, William B wrote: > > > > I just happened to look at the firewalld default settings, and I > > > > was not amused when I noticed this: > > > > http:

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Stephen Gallagher
On Tue, 2014-12-09 at 07:27 +0100, Kevin Kofler wrote: > Stephen Gallagher wrote: > > Also, while I think it's been unclear in this thread, the main reason > > that the firewall GUI was taken out was because the Workstation guys > > want to design a more user-understandable one and include that

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Michael Catanzaro
On Tue, 2014-12-09 at 03:34 +0100, Kevin Kofler wrote: > Because Fedora is aggressively marketing a Product with a major > security > vulnerability as its primary Product. To the extent that this is any argument at all: neither Ubuntu nor Debian enables a firewall.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Ian Malone
On 9 December 2014 at 11:35, Michael Catanzaro wrote: > On Mon, 2014-12-08 at 10:49 -0500, Bastien Nocera wrote: >> If Reindl, Kevin or Tomas want to disagree with that, I'll give you a >> little >> exercise: >> Having just installed and updated my Fedora 20, I want to share a >> video in my >> ho

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Solomon Peachy
On Tue, Dec 09, 2014 at 12:35:23PM +0100, Michael Catanzaro wrote: > We are concerned with practical security -- keeping the user safe by > anticipating the user's typical response to situations. But if you think > the firewall configuration GUI in F20 existed for any purpose other than > to comple

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Matthew Miller
On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote: > Why we can't have something like this? And if you don't want a popup > asking, have something in the NetworkManager applet menu, where people > can easily find the switch without having to search for it? A "[x] > allow sharing" chec

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Gerd Hoffmann
Hi, > > I also thought that the whole points of having Zones etc, was so that > > we could pick a different zone per network connection, /me too. > > so if I'm in the office or at home I can say use this zone, if I'm > > at a coffee shop I can pick a different one etc. > > > > Or was this con

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Michael Catanzaro
On Mon, 2014-12-08 at 10:49 -0500, Bastien Nocera wrote: > If Reindl, Kevin or Tomas want to disagree with that, I'll give you a > little > exercise: > Having just installed and updated my Fedora 20, I want to share a > video in my > home directory using UPnP/DLNA to my TV, using rygel for example.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > Stephen Gallagher wrote: > > Also, while I think it's been unclear in this thread, the main reason > > that the firewall GUI was taken out was because the Workstation guys > > want to design a more user-understandable one and include that directly > > (if I am remem

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Michael Catanzaro
On Mon, 2014-12-08 at 16:30 +0100, Kevin Kofler wrote: > Bastien Nocera wrote: > If this had been discussed on this list, as it is supposed to, the > objections would have come in much earlier. If you're interested in Workstation-specific features, you need to subscribe to desk...@lists.fedorapro

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > > > > > > > > > > sudo firewall-cmd --set-default-zone=FedoraServer > > > That will limit it to SSH, DHCPv6 and cockpit > > > > > > Or use default zone "Public", which swaps cockpit out and adds mDNS > > > > > > Or if you're "Reindl Harald"-level paranoid (no offen

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Bastien Nocera
- Original Message - > As one who maintains a remix for journalists, I expect the default for > a workstation should be that you must explicitly know what you are > doing to open a port, and enable or start a service - the default > release should have a minimum attack surface by design.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Reindl Harald
On 09.12.2014 at 10:08, Nikos Mavrogiannopoulos wrote: On Tue, 2014-12-09 at 17:29 +1030, William B wrote: I just happened to look at the firewalld default settings, and I was not amused when I noticed this: http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml Th

Re: "Workstation" Product defaults to wide-open firewall

2014-12-09 Thread Nikos Mavrogiannopoulos
On Tue, 2014-12-09 at 17:29 +1030, William B wrote: > > > I just happened to look at the firewalld default settings, and I > > > was not amused when I noticed this: > > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml > > > > > > > > > > > This "firewall" is a joke!

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread William B
> > I just happened to look at the firewalld default settings, and I > > was not amused when I noticed this: > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml > > > > > > > > This "firewall" is a joke! ALL higher ports

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Stephen Gallagher wrote: > Also, while I think it's been unclear in this thread, the main reason > that the firewall GUI was taken out was because the Workstation guys > want to design a more user-understandable one and include that directly > (if I am remembering that conversation correctly). The

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie
> The best analogy would probably be a condom with a whopping 129024 > holes in it. That's a horrible analogy, and totally inappropriate for this mailing list. Could we please keep this civil and reasonable?

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
I wrote: > Indeed. The best analogy would probably be a condom with a whopping 129024 > holes in it. (That's the number of ports that are left open by only the 2 > blanket firewalld rules quoted in my thread-starting post.) What kind of > protection do you expect from that? Correction: The 2 offen

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Christopher wrote: > I think you're being overly dismissive of legitimate security concerns. > The whole purpose of a firewall is to lock down the system from > unintentional network traffic. The default installation of the > "Workstation" product does not perform this function. This isn't paranoia

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Christopher
On Mon, Dec 8, 2014 at 10:36 PM, Matthias Clasen wrote: > On Tue, 2014-12-09 at 01:35 +0100, Kevin Kofler wrote: > > > > To me, it is obvious that the Workstation WG is in deliberate contempt of > > FESCo's decision. That alone ought to lead to sanctions from FESCo. In > > addition, FESCo's decis

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthias Clasen
On Tue, 2014-12-09 at 01:35 +0100, Kevin Kofler wrote: > > To me, it is obvious that the Workstation WG is in deliberate contempt of > FESCo's decision. That alone ought to lead to sanctions from FESCo. In > addition, FESCo's decision must be implemented properly by a security update > ASAP. A wid

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread M. Edward (Ed) Borasky
On Mon, Dec 8, 2014 at 6:37 PM, Kevin Kofler wrote: > What we want this discussion to lead to is: > 1. the decision to get fixed in a security update, like the PolicyKit > policy >for PackageKit in F12 (which was also deliberate, but broken) was, and > Agreed - is Workstation the only Fedora-

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Matthias Clasen wrote: > It is clear by now that you don't agree with the decision the > workstation WG has taken on this topic. I don't think rehashing the same > arguments over and over will lead to any new insights. What we want this discussion to lead to is: 1. the decision to get fixed in a s

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote: > - Original Message - >> Bastien Nocera wrote: >> > Security is about compromises. The net result of the old firewall >> > settings was people disabling the firewall. >> >> And the net result of the new firewall settings is you disabling the >> firewall for them, >

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread M. Edward (Ed) Borasky
+1 - I've added 'firewall-config' to my remix and changed the default zone to 'public'. I'm not sure what the impact would be of closing off dhcpv6-client and mdns is so I left those open. I left ssh open because the service is disabled by default. On Mon, Dec 8, 2014 at 4:35 PM, Kevin Kofler wro

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Stephen Gallagher
On Tue, 2014-12-09 at 01:28 +0100, Kevin Kofler wrote: > Matthew Miller wrote: > > Whether you agree or not, reasonable people argue that a host-based packet > > filter isn't really a meaningful increase in security. I don't think we're > > _really_ leaving the security emphasis behind. > > And

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Alec Leamas wrote: > Tracking this issue back we find [1] where the workstation group tried > to just disable the firewall. This started some threads. FESCO rejected > the change request. > > For me, this issue then disappeared from my radar. It seems that after > FESCO turned down the wide-open

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Matthew Miller wrote: > Whether you agree or not, reasonable people argue that a host-based packet > filter isn't really a meaningful increase in security. I don't think we're > _really_ leaving the security emphasis behind. And I argue that the firewall is by far the most important security mech

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Stephen John Smoogen
On 8 December 2014 at 16:41, Reindl Harald wrote: > > On 09.12.2014 at 00:31, Stephen John Smoogen wrote: > >> On 8 December 2014 at 16:17, Mike Pinkerton > > wrote: >> >> >> >> We could have decided to double-down on growing that enthusiast >> seg

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 09.12.2014 at 00:31, Stephen John Smoogen wrote: On 8 December 2014 at 16:17, Mike Pinkerton wrote: We could have decided to double-down on growing that enthusiast segment, but, first, that's not what the people who showed up to do

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Stephen John Smoogen
On 8 December 2014 at 16:17, Mike Pinkerton wrote: > > > We could have decided to double-down on growing that enthusiast >> segment, but, first, that's not what the people who showed up to do the >> work decided; and second, I actually think we continue to serve the >> hackers and tinkerers very

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Mike Pinkerton
On 8 Dec 2014, at 17:07, Matthew Miller wrote: On Mon, Dec 08, 2014 at 03:20:30PM -0500, Mike Pinkerton wrote: burning your old market when trying to grow a new one. From a marketing standpoint, that is just crazy. In a for-profit company, where products are connected to revenue streams, it

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 11:54:30PM +0100, Alec Leamas wrote: > When a lot of people are surprised, isn't that a sign of a process > problem? Should we try to avoid surprises like this?. If so, how? > > (I'm not trying to be argumentative or to blame anyone; if my pidgin > English gives that impres

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread M. Edward (Ed) Borasky
This would be a good topic for the retrospective, I think. https://fedoraproject.org/wiki/Fedora_21_Retrospective#Could_have_been_better ;-) In my specific case, 'firewall-cmd --set-default-zone=public' in my kickstart file makes this issue go away. On Mon, Dec 8, 2014 at 2:54 PM, Alec Leamas w

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Alec Leamas
On 08/12/14 16:33, Matthew Miller wrote: On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote: There are three products: workstation, server, cloud. Workstation is the one for desktop use. That leaves server to aim for the traditional fedora user base, since cloud is (understandably) a ver

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 03:20:30PM -0500, Mike Pinkerton wrote: > burning your old market when trying to grow a new one. From a > marketing standpoint, that is just crazy. In a for-profit company, > where products are connected to revenue streams, it would be a "you > just bet your career" move w

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread David Airlie
> > > > > > sudo firewall-cmd --set-default-zone=FedoraServer > > That will limit it to SSH, DHCPv6 and cockpit > > > > Or use default zone "Public", which swaps cockpit out and adds mDNS > > > > Or if you're "Reindl Harald"-level paranoid (no offense intended, Harald > > but you're the most paran

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Robert Marcano
On 12/08/2014 04:31 PM, Stephen Gallagher wrote: On Mon, 2014-12-08 at 07:41 +0100, Kevin Kofler wrote: Hi, I just happened to look at the firewalld default settings, and I was not amused when I noticed this: http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Stephen Gallagher
On Mon, 2014-12-08 at 07:41 +0100, Kevin Kofler wrote: > Hi, > > I just happened to look at the firewalld default settings, and I was not > amused when I noticed this: > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml > > > > > This "firewall" is a joke! ALL hig

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread M. Edward (Ed) Borasky
As one who maintains a remix for journalists, I expect the default for a workstation should be that you must explicitly know what you are doing to open a port, and enable or start a service - the default release should have a minimum attack surface by design. As a result of this discussion I plan t

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Mike Pinkerton
On 8 Dec 2014, at 10:33, Matthew Miller wrote: On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote: There are three products: workstation, server, cloud. Workstation is the one for desktop use. That leaves server to aim for the traditional fedora user base, since cloud is (understand

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Adam Jackson
On Mon, 2014-12-08 at 18:40 +0100, Reindl Harald wrote: > * vulnerable port open Yeah, see, this bit right here is the actual issue. Curiously, AV software on Other Operating Systems has had the ability to delegate this very policy decision to the user session for at least a decade, and yet nobo

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie
> So the target audience has shifted from developers to developers who > don't understand ports, don't like user prompts and are behind > enterprise firewalls. Certainly not. I've never assumed I was an "average user". There are many different reasons why people might want a more open firewall

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Sudhir Khanger
On Mon, Dec 8, 2014 at 11:03 PM, DJ Delorie wrote: > I, for one, am happy to welcome our new more-reasonable-less-paranoid > overlords. I've been disabling my firewall for ages, as my machines > are behind an enterprise firewall anyway. So the target audience has shifted from developers to devel

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie
> > I, for one, am happy to welcome our new more-reasonable-less-paranoid > > overlords. I've been disabling my firewall for ages, as my machines > > are behind an enterprise firewall anyway > > that don't apply for a notebook, especially not if the enduser is > connected to a public WLAN and

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 18:33, DJ Delorie wrote: Next time, don't be 6 month late if you're going to be flippant. I, for one, am happy to welcome our new more-reasonable-less-paranoid overlords. I've been disabling my firewall for ages, as my machines are behind an enterprise firewall anyway that

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie
> Next time, don't be 6 month late if you're going to be flippant. I, for one, am happy to welcome our new more-reasonable-less-paranoid overlords. I've been disabling my firewall for ages, as my machines are behind an enterprise firewall anyway.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 17:20, Bastien Nocera wrote: On 08.12.2014 at 17:10, Bastien Nocera wrote: There's a few more items that will be opened I'm afraid. And one of the reasons why we block root ports is to avoid regressions like rpcbind listening by default, which was due to a bug in packaging.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 17:17, Bastien Nocera wrote: On 08.12.2014 at 17:10, Bastien Nocera wrote: Security is about compromises. The net result of the old firewall settings was people disabling the firewall. And the net result of the new firewall settings is you disabling the firewall for them,

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > > On 08.12.2014 at 17:10, Bastien Nocera wrote: > > There's a few more items that will be opened I'm afraid. And one of the > > reasons > > why we block root ports is to avoid regressions like rpcbind listening > > by default, which was due to a bug in packaging.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > > On 08.12.2014 at 17:10, Bastien Nocera wrote: > >>> Security is about compromises. The net result of the old firewall > >>> settings > >>> was people disabling the firewall. > >> > >> And the net result of the new firewall settings is you disabling the > >> fire

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 17:10, Bastien Nocera wrote: There's a few more items that will be opened I'm afraid. And one of the reasons why we block root ports is to avoid regressions like rpcbind listening by default, which was due to a bug in packaging. So what you call "no firewall" would actually hav

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 17:10, Bastien Nocera wrote: Security is about compromises. The net result of the old firewall settings was people disabling the firewall. And the net result of the new firewall settings is you disabling the firewall for them, It's not disabled it is practically the only

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthias Clasen
On Mon, 2014-12-08 at 17:08 +0100, Reindl Harald wrote: > On 08.12.2014 at 16:55, Bastien Nocera wrote: > >>> You're free to select another firewall zone. > >> > >> How, when you don't even install the firewall configuration tool by > >> default? > > > > Settings -> Network, select your network -

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > Bastien Nocera wrote: > > Security is about compromises. The net result of the old firewall settings > > was people disabling the firewall. > > And the net result of the new firewall settings is you disabling the > firewall for them, It's not disabled. > and also

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 16:55, Bastien Nocera wrote: You're free to select another firewall zone. How, when you don't even install the firewall configuration tool by default? Settings -> Network, select your network -> Identity -> Firewall zone that's possible with one click? fine, then the onl

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
On 08.12.2014 at 16:49, Bastien Nocera wrote: Make sure to note that I'm convinced that the new firewall settings in Fedora Workstation 21 are more secure than what was available in Fedora 20's default settings. If Reindl, Kevin or Tomas want to disagree with that, I'll give you a little exerc

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote: > Security is about compromises. The net result of the old firewall settings > was people disabling the firewall. And the net result of the new firewall settings is you disabling the firewall for them, and also for all those people out there (like me) who were NOT disabling

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > Bastien Nocera wrote: > > You're free to select another firewall zone. > > How, when you don't even install the firewall configuration tool by default? Settings -> Network, select your network -> Identity -> Firewall zone

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote: > You're free to select another firewall zone. How, when you don't even install the firewall configuration tool by default? Kevin Kofler

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote: > > There are three products: workstation, server, cloud. Workstation is > > the one for desktop use. That leaves server to aim for the traditional > > fedora user base, since cloud is (understandably) a ve

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > if your discussions led to the decisions also used the quoting style > like in that thread only contain "myself said" i guess what went wrong > in the first place > > i am still unsure if that's > > * intentional to mask communication > * just a bad usage of you

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote: > Yeah, that's so useful. "Oh, you clicked it, it's your fault". That's not > the type of OS I want to help implement, sorry. So you rather implement the type of OS that just always assumes "Yes" without even asking? Because that's what the current "firewall" rules do (betw

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
if your discussions led to the decisions also used the quoting style like in that thread only contain "myself said" i guess what went wrong in the first place i am still unsure if that's * intentional to mask communication * just a bad usage of your mail-client in any case it's not the def

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote: > There are three products: workstation, server, cloud. Workstation is > the one for desktop use. That leaves server to aim for the traditional > fedora user base, since cloud is (understandably) a very different > thing. So if you want a

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote: > This was discussed, and implemented in the open, and I sent the details of > the feature, and how it would be implemented to the fedora desktop list, > as is customary for Workstation features. That's the problem, you discuss everything in your private playground where you

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
You're completely right, I won't follow security experts' ideas on UI, just as I won't follow a UX designer's ideas on security. I was happy to act as the go between to fix a long-standing problem, only to be told 6 months later that they accepted the change because we gave them a choice that was

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > On 12/08/2014 03:45 PM, Bastien Nocera wrote: > > > > > > - Original Message - > >> On 12/08/2014 03:12 PM, Bastien Nocera wrote: > >>> > >>> > >>> - Original Message - > On 12/08/2014 12:51 PM, Bastien Nocera wrote: > >>> > This is wrong

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
Am 08.12.2014 um 15:45 schrieb Bastien Nocera: On 12/08/2014 12:51 PM, Bastien Nocera wrote: This is wrong and you know about that - the firewalld folks have been urged to use this zone for the Workstation product - it was a Workstation team decision. What?! We discussed it, and it was dee

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner
On 12/08/2014 03:45 PM, Bastien Nocera wrote: - Original Message - On 12/08/2014 03:12 PM, Bastien Nocera wrote: - Original Message - On 12/08/2014 12:51 PM, Bastien Nocera wrote: This is wrong and you know about that - the firewalld folks have been urged to use this zon

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > On 12/08/2014 03:12 PM, Bastien Nocera wrote: > > > > > > - Original Message - > >> On 12/08/2014 12:51 PM, Bastien Nocera wrote: > > > >> This is wrong and you know about that - the firewalld folks have been > >> urged to use this zone for the Workstation

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Ian Malone
On 8 December 2014 at 13:45, Matthew Miller wrote: > On Mon, Dec 08, 2014 at 12:11:40PM +, Ian Malone wrote: >> >> >>> You're free to select another firewall zone >> And free to move to another distro of course. > > Well, or free to select another Fedora offering, or configure your > systems to

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner
On 12/08/2014 03:12 PM, Bastien Nocera wrote: - Original Message - On 12/08/2014 12:51 PM, Bastien Nocera wrote: This is wrong and you know about that - the firewalld folks have been urged to use this zone for the Workstation product - it was a Workstation team decision. What?! We

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
- Original Message - > On 12/08/2014 12:51 PM, Bastien Nocera wrote: > This is wrong and you know about that - the firewalld folks have been > urged to use this zone for the Workstation product - it was a > Workstation team decision. What?! We discussed it, and it was deemed acceptable

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner
On 12/08/2014 10:50 AM, Bastien Nocera wrote: - Original Message - We don't need open or preconfigured high ports. What we really need is a user notification with options to allow or deny like we do with SELinux. That would be a appropri

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner
On 12/08/2014 12:51 PM, Bastien Nocera wrote: - Original Message - Am 08.12.2014 um 12:34 schrieb Bastien Nocera: Am 08.12.2014 um 11:45 schrieb Bastien Nocera: Well, I'll understand these aspects. But when I think about Linux, especially about Fedora, I'm thinking about the freed

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 11:40:30AM +0100, Michael Spahn wrote: > I hope it's not needed to mention that we are not Ubuntu, Windows or > OSx. We are a free and open Linux distribution and every step in > another direction is an attack against the ideas of free open source > and open mind. Let's pl

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 12:11:40PM +, Ian Malone wrote: > >> >>> You're free to select another firewall zone > And free to move to another distro of course. Well, or free to select another Fedora offering, or configure your systems to not be Fedora Workstation. The defaults are different in th

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Solomon Peachy
On Mon, Dec 08, 2014 at 07:56:28AM -0500, Bastien Nocera wrote: > Rootkit won't require opened *server* ports. It will contact a command > server through a client port, which requires no special privileges. If > you blocked the firewall for user applications, you just made the > system a pain to

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
Am 08.12.2014 um 13:56 schrieb Bastien Nocera: Am 08.12.2014 um 13:39 schrieb Bastien Nocera: Well, it's in your hands now, and every application developer's hands, if RH is going to be turning the default firewall off. Not Red Hat, Fedora. And it's not off by default either. It's disabled fo
